I have an ASA at a DR site that I would like to have authenticate our telnet sessions via RADIUS. The problem is that the RADIUS server is at 10.10.10.52 and it would be out of the management interface. If I change the RADIUS server configuration to point to the management interface instead of the inside interface, this works fine. I would LIKE to be able to have the same IP address on both the management and inside interfaces because if our main site goes down, then this ASA serves our VPN connections and authenticates to the same RADIUS server. If the RADIUS server is set to the management interface and the link between the DR and corporate goes down, then no one can authenticate if the corporate site were to go down. (We noticed this from a DR test over the weekend.)
My first thought was to create another RADIUS server pointing to the same address on a different interface and change my aaa lines to reflect which RADIUS server it should use, but because the same inside IP is used on this ASA as our corporate site, this wouldn't work. The management IP address is 10.20.20.1 and the inside IP address is 10.10.10.67. Is there a way to work around this? I don't think statics will work since the 10.10.10.0/24 is connected.